[Federated Authentication] Integrating Google OpenID-Connect Authentication with WSO2 Identity Server

In my previous blog post, we went through how you can configure a SAML2 SSO web application with Identity Server. Users authenticate to Identity Server by providing a username and password. These credentials are authenticated against the enterprise user store that Identity Server has been deployed with. Therefore only users who are in the enterprise user store can access the web application.

Assume you have a new requirement: the web application must be made publicly available, and users must be able to access it using social logins such as Google, Facebook, Windows Live and so on.

Today let's see how we can allow users to log in to the web application using Google authentication.

Identity Server can be integrated with Google authentication in two ways:

  • OpenID  (Identity Server has a default Federated Authenticator for this)
  • OpenID-Connect

Let's see how we can do it using OpenID-Connect.

Register OAuth 2.0 Application in Google

Step 1. Let's register the OAuth 2.0 application in Google. You can find more details here

You need to configure the redirect URL as the following URL of the Identity Server


By default it would be


You can see the following authentication details, which we need for later use

Configure Google as OpenID Connect IDP

Step 1. Log in to the Identity Server management console
Step 2. Register a new IDP
You need to provide a name for the IDP configuration

Go to “OAuth2/OpenID Connect Configuration” and register the following details.

1. Enable / Default – You can enable the configuration and set it as the default

2. Authorization Endpoint URL – https://accounts.google.com/o/oauth2/auth

3. Token Endpoint URL – https://accounts.google.com/o/oauth2/token

4. Client Id – Take this from the OAuth 2.0 application you created

5. Client Secret – Take this from the OAuth 2.0 application you created

6. Additional Query Parameters – scope=openid

Now you are done with configuring Google as a trusted IDP

Step 3. Configure the Google IDP as the federated IDP for the web application.

There are two ways to configure the Google IDP as a federated IDP.

One way is to configure it simply as the federated authentication IDP for the web application. Then, when a user tries to access the web application, the user is redirected to the Google login page via the Identity Server. In this case, only users who can be authenticated via the Google IDP can log in to the web application.

Otherwise, you can configure it using Advanced Configuration. Here we configure one step that contains two authentication options. One is basic authentication, which authenticates users from the enterprise user store. The other is the Google IDP. Once you configure it like this, users accessing the web application are prompted with an IDP login page showing both options. Therefore users from both the Google IDP and the enterprise user store can log in to the web application.

Step 4. Try it out. Let's try to log in to the web application. If you have configured it using Advanced Configuration, you will see the following login page in the Identity Server.

Once you click on the Google IDP, you are redirected to the Google login page.

Analyze the results


Identity Server receives the ID Token after authentication with Google. The ID Token looks like the following.


The value contained in the “sub” element is taken as the user name by default.

Let's say you want to add the email to the ID Token; then you need to define the scope as scope=openid email



Then you receive the email address in the ID Token as follows.

{"iss":"accounts.google.com","sub":"117401226438100183502","azp":"786904166750-vmgmr35v125a0on5be8eptvssln6caga.apps.googleusercontent.com","email":"[email protected]","at_hash":"-R00nkVQRaL9PGakHlyJ3Q","email_verified":true,"aud":"786904166750-vmgmr35v125a0on5be8eptvssln6caga.apps.googleusercontent.com","hd":"soasecurity.org","iat":1417555970,"exp":1417559870}

If you need to send the email to the web application as an attribute, you must do some additional claim mappings.

In the IDP configuration, you need to map the IDP claim to the local claim. I am mapping the “email” IDP claim to the “http://wso2.org/claims/emailaddress” local claim
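
The claim checks that should pass before the “sub” and “email” values of an ID Token like the one above are trusted and mapped, shown as an added example that is not part of the original post and is not Identity Server code. The function names and the sample address are hypothetical; the client ID and claim URI are the ones shown on this page, and the signature is assumed to have been verified already.

```python
import base64
import json

# Client ID and local claim URI as shown on this page.
CLIENT_ID = "786904166750-vmgmr35v125a0on5be8eptvssln6caga.apps.googleusercontent.com"
# Google documents both forms of its issuer value.
ISSUERS = {"accounts.google.com", "https://accounts.google.com"}
EMAIL_CLAIM = "http://wso2.org/claims/emailaddress"

def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def map_id_token(id_token, client_id, now, leeway=60):
    """Check payload claims and return the attributes to pass on (hypothetical helper)."""
    # Assumption: the signature was verified beforehand; only claims are inspected.
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    claims = b64url_json(parts[1])
    if claims.get("iss") not in ISSUERS:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was issued to another client")
    if claims.get("azp", client_id) != client_id:
        raise ValueError("unexpected authorized party")
    if not claims.get("iat", float("inf")) - leeway <= now <= claims.get("exp", 0) + leeway:
        raise ValueError("token outside its validity window")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    attrs = {"username": claims["sub"]}  # "sub" is the default user name
    # Pass the address on only when the IDP marks it as verified.
    if claims.get("email") and claims.get("email_verified") is True:
        attrs[EMAIL_CLAIM] = claims["email"]
    return attrs

def make_token(payload):
    """Build a constructed, unsigned sample token for local testing."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(payload), "sig"])

# Constructed sample: claim values from the page, placeholder e-mail address.
SAMPLE = {"iss": "accounts.google.com", "sub": "117401226438100183502",
          "azp": CLIENT_ID, "aud": CLIENT_ID, "email": "user@example.org",
          "email_verified": True, "iat": 1417555970, "exp": 1417559870}

if __name__ == "__main__":
    print(map_id_token(make_token(SAMPLE), CLIENT_ID, now=1417556000))
```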



In the SP configuration, you can select which claims to send to your web application inside the SAML Token. As mentioned in my previous post, we can do the SP claim mapping as follows.


Thanks for reading…!!!